For many organizations, security flows from the top down. That’s a problem when executives don’t emphasize security as much as they should. Cisco learned as much in its CISO Benchmark Study “Securing What's Now and What's Next 20 Cybersecurity Considerations for 2020.” Here are just some of the findings from Cisco’s study:
- A majority (89%) of respondents said that their executive leadership considered security to be a high priority—down from 7% across the preceding four years.
- A slightly higher proportion (91%) of survey participants revealed that cyber risk assessments featured in the organization’s overall risk assessment processes. That was 5% less than the previous year.
- Nine in 10 respondents said that their employer’s executive teams established clear metrics for evaluating the organization’s security programs—6% less than the last year.
The reason for these findings wasn’t immediately apparent from Cisco’s study. Even so, the networking hardware company suggested multiple factors as an explanation. Among those was the possibility that communication between security teams and executives had become less clear. This possibility raises several questions. What are the main barriers to effective communication around cybersecurity in an organization? And how does this tie into building a great cybersecurity program across people, process and technology? To find out, Tripwire posed these questions to several CISOs and other security directors. Their responses helped to illustrate how CISOs can foster internal communication around potential security issues within the organization and build a strong digital security culture.
Dump the God Complex and Get Executive Buy-in
Christian Toon, CISO at Pinsent Masons LLP, said that one of the issues hampering effective security communications was infosec professionals’ own inflated view of themselves.
“Our industry makes it hard to talk about the problems in common parlance,” Toon noted. “We make people feel intimidated about the content, and still in 2020, we have way too many God complexes. We shouldn’t. A big problem with this is that we lack diversity in our industry that can help bring about positive change. (There’s a reason it’s known as a ‘God complex’ and not a ‘Goddess complex.’) Organizations try to hire in a particular template, and it inhibits them from becoming more effective around cyber security. If the security team looks like the security leader, there’s a problem.”
Security teams aren’t the only ones who should be involved in these communication channels, however. Executives also have a place in the discussion. The important thing is to recognize the value of these inclusive discussions and promote them. Lou Klubenspies, Senior Director, IT risk management & CISO at PerkinElmer, Inc., made this connection.
“Communication around cyber won’t truly be effective without a culture of security,” Klubenspies explained. “If cyber is viewed as ‘an IT problem’ rather than a business risk that requires everyone’s attention to understand and address it, most messaging will feel like an annoyance at best and will be ignored at worst. It’s important to understand that this culture starts at the top. A CISO needs an executive team who understands the risks and reinforces the message across their portions of the enterprise. In global organizations, language itself can often be an additional barrier. While English is the international language of business in most countries, messages still often need to be translated for certain locales to be able to consume them.”
This message shouldn’t just be inclusive in terms of appealing to the languages of the regions in which they operate and employ people. It needs to be inclusive in another way by addressing the larger organization that exists beyond the information security department. Responsibility for building a cyber security culture exists beyond the duties of security professionals, as Alegeus’ Head of Information Security Nigel Sampson rightly notes.
"Getting executive buy-in for spreading the culture of cybersecurity across the organization is key. Five minutes at Town Hall or having the ability to send emails to all employees are vehicles for sharing cybersecurity good practices to the rest of the organization. Creating a cyber security culture starts at the top and removes barriers at lower levels. The message has to be clear and concise and follow best practices. It should also be coherent and in line with business objectives. Executive management will not sanction cyber security communications unless they understand the message and why the message is being sent. Getting the organization to understand the importance of information security (IS) as well as leveraging best practices and training is key to communicating their role and responsibility when it comes to information security. They need to get the message that just because there is an information security department doesn’t mean that those team members are solely responsible for information security. Each employee has a part to play in the information security program."
Building a Cyber Security Culture
Communication and cyber security culture share a mutually beneficial relationship. It’s therefore no wonder that the former has led us to the latter. Acknowledging that fact, let’s look at what organizations can do to foster a stronger cyber security culture at their workplaces. To start things off, Sampson believes that executives need to explicitly set the intention behind the cyber security culture: "Firstly, executive management have to have a mandate to improve information security. There should also be a member of the information security team on the Executive Leadership Team (ELT), which is normally the Chief Information Security Officer (CISO). Creating executive sponsorship for the information security program is essential to development and expansion. Building trust in information security is key to building a program that covers the risk landscape. The CISO is charged with defining the risks to the organization, sharing the risk profile of the organization with the ELT and providing the mitigating solutions. Having experienced and certified staff on the information security team is essential to efficiency, effectiveness, and leveraging the Return On Investment (ROI) from the technology deployed to mitigate risk." Christina Morillo, cloud security & platform engineering at Microsoft, also believes that executives play an essential part in driving the program forward and articulating its purpose.
“Foundationally, the main factors when building a cybersecurity program are Executive buy-in and sponsorship,” she said. “These include clear lines of accountability and responsibility. Without executive buy-in, sponsorship and support, your initiatives will fall flat. A program of this magnitude must start from the top down. Defining the mission and strategy, clearly articulating and documenting the why and the what as well as aligning this to business risk minimization will help to gain leverage and buy-in across all stakeholders.”
Securing the support of individual execs will help to build momentum behind cultivating a cyber security culture. But without broader support, these efforts will only be so effective. That’s why Toon feels that it’s important for CISOs to get the blessings of the Board as a whole: "Strategic support. The Board having your back is hugely empowering and supportive. Mature risk management practices also help, as they ensure you’re asking the right questions and mitigating threats appropriately. Then there’s a people-centric approach above all others. People often talk about people, process and technology in equal measure, but for me, people win all the time, every time. Getting the right team in place is key, but putting people at the heart of your response will suddenly increase your team size without adding any more budget." CISOs shouldn’t stop there. They should look to broaden out their relationships with other stakeholders, too. Ron Solano, data security officer of technology solutions for the Data Security & Governance Office at OptumInsight of United Health Group, couldn’t agree more.
“In my opinion, working with the business on security programs and processes is key,” Solano explained. “But so too is fostering good relations with the business owners and customers. It’s also worth noting that programs need to be rolled out in an organized manner with good project management. Towards that end, CISO’s must have good PM’s on their team.”
This drives home an important point: CISOs can’t get by just focusing on the technical aspects of their job. They also need to build relationships as an integral part of their positions. To get this done, they can take one of two approaches. “When it comes to people, there are two types of leaders: task-oriented and people-oriented,” noted Klubenspies. “Personally, I am people-oriented; I prefer to hire smart people and then get out of their way and let them do what they do best. I also find that smart people know other smart people, so I leverage those networks as often as possible when hiring. People who feel trusted and invested in, produce better results.” For Klubenspies, those better results come in the form of being honest about where the organization stands in its security posture:
"Pragmatism as well as honest assessments of where you are currently, what your organization’s tolerance for cyber risk is and how much you need to do to get there. The traditional framework-based approach to defining cyber programs is evolving into more of a risk-based approach. The challenge with this is that it’s often harder to accurately quantify cyber risk than it is to select a framework and implement all the controls. That’s why it’s better to go with risk-based results in a program that is better tailored to your organization and that provides executive leadership with the confidence that the cyber investments that are being made are being made in areas that provide the greatest risk reduction for the dollar. Be sure you understand where your program falls on the maturity curve."
By being pragmatic, CISOs can lead their organizations to develop an effective approach for building their cyber security culture across the entire organization. That doesn’t mean that the organization should lump its efforts towards that end all under one department, however. Sometimes it’s best to leave things separate. “Having a budget outside of IT is key to identifying ROI of solutions and separating the information security team from IT,” Sampson observed. “Separating information security from IT doesn’t mean severing communication or collaboration. It creates better communication and collaboration, and it helps evolve a new culture of understanding that information security is as significant as information technology and that it has just as much impact, if not more so, as its performance can sometimes impact the very highest levels of management in the organization. Having best-in-class solutions creates a better threat detection and prevention approach that supports many of the risk frameworks currently used by many information security teams. Ensuring those technologies are integrated is also key. Having a dozen point solutions that have to be continually monitored is not an effective solution to risk mitigation.” Indeed, oftentimes it comes down to identifying the organization’s technology preferences and using those to invest in a solution that works for its needs. Klubenspies elaborated on that point:
"Technology is often a challenge not because we lack it but rather the opposite, that is, because there’s so much of it now. Simply keeping up with the rapid pace of technology feels like a career in itself. It helps to know your own personal style. Are you a bleeding edger? A fast follower? A middle of the pack? A conservative who waits for a technology to fully mature before investing? Do you prefer next-gen, young and hungry vendors who still have some rough edges and a few missing features, or would you rather go with well-established, full-service vendors? Knowing these things will help you narrow your focus and prioritize your technology efforts accordingly."
To find out more about how CISOs can leverage Tripwire’s solutions to keep their organizations safe and build a cyber security culture, click here.
Authors note: This blog was co-authored between Joe Pettit and Mitch Parker
FURTHER READING ABOUT CISOs:
- Security Execs’ Advice on Overcoming the Challenges of Remote Work
How CISOs Can Foster Effective Comms and Build a Cybersecurity Program